From e9fed06432ebe404e8e43a6e0abf3a1ec5161dfb Mon Sep 17 00:00:00 2001
From: Andrew Cady
Date: Sat, 9 Oct 2021 08:50:54 -0400
Subject: locally authenticate cryptonomic.net self-authenticating names

this is pretty sweet
---
 cryptonomic-vpn | 38 +++++++++++++++++++++++++++++++++++---
 1 file changed, 35 insertions(+), 3 deletions(-)

diff --git a/cryptonomic-vpn b/cryptonomic-vpn
index d983e60..bdb8f41 100755
--- a/cryptonomic-vpn
+++ b/cryptonomic-vpn
@@ -167,8 +167,10 @@ main()
 if [ "$NO_ACT" ]
 then
 exec 2>&1
- install_local_private_key
+ # Start with the remote public key, to fail early if the server is
+ # unavailable.
 install_remote_public_key
+ install_local_private_key
 test_new_config
 else
 die unimplemented
@@ -277,11 +279,41 @@ install_local_private_key()
 rm -f "$private_key_tmp"
 }
 
+b16_to_b32()
+{
+ printf %s "$1" | basez -x -d | basez -j -l | tr -d =
+}
+
+key_to_domain_suffix()
+{
+ [ -f "$1" ] || return
+ local keytype=1 hashtype=2 sshfp_b16 sshfp_b32
+ sshfp_b16=$(ssh-keygen -r . -f "$1" | sed -ne "s/^. IN SSHFP $keytype $hashtype //p") &&
+ [ "$sshfp_b16" ] || die "could not determine ssh client fingerprint"
+ sshfp_b32=$(b16_to_b32 "$sshfp_b16")
+
+ printf %s.%s.%s "$sshfp_b32" "$REMOTE_KEY_TYPE" cryptonomic.net | tail -c64
+}
+
+validate_public_key()
+{
+ local suffix keyfile="$1" name="$2"
+ [ "$keyfile" ]
+ [ "$name" ]
+ suffix=$(key_to_domain_suffix "$keyfile")
+
+ case "$name" in
+ *."$suffix" | "$suffix" ) true ;;
+ * ) false ;;
+ esac
+}
+
 install_remote_public_key()
 {
 trap 'rm -f "$t"' EXIT
 t=$(mktemp)
 keyscan "$REMOTE_IP" | match_and_drop_first_word "$REMOTE_IP" > "$t"
+ validate_public_key "$t" "$REMOTE_NAME" || die 'cannot authenticate remote public key'
 write_successfully /etc/swanctl/pubkey/"$REMOTE_NAME".pub -- write_remote_key "$t"
 trap - EXIT
 rm -f "$t"
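Review bot: validate_public_key cannot fail on the error paths it contains: `die` (presumably an exit) inside key_to_domain_suffix runs in the `$(...)` subshell and only ends that subshell, and because the function is invoked as `validate_public_key "$t" "$REMOTE_NAME" || die …`, any `set -e` in effect is suspended inside it, so the bare `[ "$keyfile" ]`, `[ "$name" ]` and the failed assignment are all ignored and the verdict comes solely from the `case`. With `suffix` empty the arm `*."$suffix"` degenerates to the pattern `*.`, which accepts any `$REMOTE_NAME` ending in a dot, and the arm `"$suffix"` accepts an empty name, so a missing key file or an unparsable SSHFP record would authenticate rather than reject. Make the guards carry their own status: `[ "$keyfile" ] && [ "$name" ] || return 1` and `suffix=$(key_to_domain_suffix "$keyfile") && [ "$suffix" ] || return 1`. For the same reason the `[ "$sshfp_b16" ] || die …` line in key_to_domain_suffix is better as a stderr message followed by `return 1`, since the function is only reached through a command substitution.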
@@ -297,7 +329,7 @@ strongswan_config()
 local conn="$1" remote_addrs="$2" local_key="$3"
 local public_key_file="$4" private_key_file="$5"
 local remote_ts=0::0/0 vips=::
- id=$(key_to_suffix "$local_key") || return
+ id=$(key_to_ip_suffix "$local_key") || return
 sed -e 's/^ //' <